A new adversarial attack method cracks safety guardrails on large language models with a 96.8% success rate using just 100 optimization steps.
Researchers introduced NonTextual Target Attack (NTA), a gradient-based jailbreak technique that works differently from existing approaches. Most current attacks optimize what's called an adversarial suffix — extra text appended to a prompt — to steer the model toward a specific, pre-written harmful response. NTA drops that fixed-response requirement entirely. Instead, it maximizes the raw probability that the model produces unsafe output at all, without caring what form that output takes. To make this mathematically tractable, the team breaks the single hard objective into two smaller differentiable sub-problems and solves them iteratively.
The practical result matters: by not constraining the attack to a particular target response, NTA opens up a much wider search space and finds vulnerabilities that narrower methods miss. On the AdvBench benchmark — the standard test suite for this class of research — NTA outperforms state-of-the-art gradient-based attacks by more than 40 percentage points. That gap is large enough to raise real questions about whether current safety-alignment training is as robust as the labs shipping these models claim.
The attack is a research paper, not a deployed tool, but the direction it points is uncomfortable: every time safety teams close one optimization path, researchers find a formulation that sidesteps the constraint entirely. The arms race continues to favor the attackers, at least on paper.